From 4f8bdce56c34fd8dcf7fb4b80db2c0cdc2ca8bd2 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sat, 12 Apr 2025 18:41:15 +0530 Subject: [PATCH] removed audit templates --- .../mongodb/mongodb-audit-log-disabled.yaml | 57 ----------------- .../audit/mongodb/mongodb-auth-disabled.yaml | 55 ----------------- .../mongodb-http-interface-enabled.yaml | 57 ----------------- .../audit/mongodb/mongodb-ssl-disabled.yaml | 57 ----------------- javascript/audit/mysql/mysql-load-file.yaml | 61 ------------------- javascript/audit/ssh/change-default-port.yaml | 51 ---------------- .../audit/ssh/disable-empty-password.yaml | 51 ---------------- javascript/audit/ssh/disable-root-login.yaml | 50 --------------- .../audit/ssh/disable-ssh-forwarding.yaml | 50 --------------- .../audit/ssh/disable-ssh-protocol-1.yaml | 51 ---------------- .../ssh/enable-ssh-privilege-separation.yaml | 51 ---------------- .../ssh/hide-last-login-information.yaml | 51 ---------------- .../audit/ssh/idle-timeout-interval.yaml | 51 ---------------- javascript/audit/ssh/limit-ssh-group.yaml | 51 ---------------- .../audit/ssh/limit-ssh-users-access.yaml | 51 ---------------- .../audit/ssh/ssh-key-auth-disabled.yaml | 51 ---------------- .../ssh/ssh-unrestricted-nonwhitelist.yaml | 51 ---------------- .../apache/disable-directory-listing.yaml | 59 ------------------ .../apache/disable-http-trace-method.yaml | 58 ------------------ .../apache/disable-server-header.yaml | 58 ------------------ .../apache/disable-server-signature.yaml | 58 ------------------ .../apache/enforce-server-tokens-prod.yaml | 58 ------------------ .../nginx/disable-nginx-server-tokens.yaml | 56 ----------------- .../nginx/missing-nginx-bof-protection.yaml | 54 ---------------- .../webserver/nginx/missing-nginx-hsts.yaml | 56 ----------------- .../nginx/missing-nginx-rate-limit.yaml | 56 ----------------- .../nginx/missing-nginx-xss-protection.yaml | 54 ---------------- 27 files changed, 1464 deletions(-) delete mode 100644 javascript/audit/mongodb/mongodb-audit-log-disabled.yaml delete mode 100644 javascript/audit/mongodb/mongodb-auth-disabled.yaml delete mode 100644 javascript/audit/mongodb/mongodb-http-interface-enabled.yaml delete mode 100644 javascript/audit/mongodb/mongodb-ssl-disabled.yaml delete mode 100644 javascript/audit/mysql/mysql-load-file.yaml delete mode 100644 javascript/audit/ssh/change-default-port.yaml delete mode 100644 javascript/audit/ssh/disable-empty-password.yaml delete mode 100644 javascript/audit/ssh/disable-root-login.yaml delete mode 100644 javascript/audit/ssh/disable-ssh-forwarding.yaml delete mode 100644 javascript/audit/ssh/disable-ssh-protocol-1.yaml delete mode 100644 javascript/audit/ssh/enable-ssh-privilege-separation.yaml delete mode 100644 javascript/audit/ssh/hide-last-login-information.yaml delete mode 100644 javascript/audit/ssh/idle-timeout-interval.yaml delete mode 100644 javascript/audit/ssh/limit-ssh-group.yaml delete mode 100644 javascript/audit/ssh/limit-ssh-users-access.yaml delete mode 100644 javascript/audit/ssh/ssh-key-auth-disabled.yaml delete mode 100644 javascript/audit/ssh/ssh-unrestricted-nonwhitelist.yaml delete mode 100644 javascript/audit/webserver/apache/disable-directory-listing.yaml delete mode 100644 javascript/audit/webserver/apache/disable-http-trace-method.yaml delete mode 100644 javascript/audit/webserver/apache/disable-server-header.yaml delete mode 100644 javascript/audit/webserver/apache/disable-server-signature.yaml delete mode 100644 javascript/audit/webserver/apache/enforce-server-tokens-prod.yaml delete mode 100644 javascript/audit/webserver/nginx/disable-nginx-server-tokens.yaml delete mode 100644 javascript/audit/webserver/nginx/missing-nginx-bof-protection.yaml delete mode 100644 javascript/audit/webserver/nginx/missing-nginx-hsts.yaml delete mode 100644 javascript/audit/webserver/nginx/missing-nginx-rate-limit.yaml delete mode 100644 javascript/audit/webserver/nginx/missing-nginx-xss-protection.yaml diff --git a/javascript/audit/mongodb/mongodb-audit-log-disabled.yaml b/javascript/audit/mongodb/mongodb-audit-log-disabled.yaml deleted file mode 100644 index fb04c27313f..00000000000 --- a/javascript/audit/mongodb/mongodb-audit-log-disabled.yaml +++ /dev/null @@ -1,57 +0,0 @@ -id: mongodb-audit-log-disabled - -info: - name: MongoDB Audit Logging Disabled - author: pussycat0x - severity: high - description: | - Ensures MongoDB audit logging is enabled. - remediation: | - Set 'auditLog.destination: file' and specify 'path' in /etc/mongod.conf. - reference: - - https://wiki.devsecopsguides.com/docs/checklists/mongodb/ - - https://www.mongodb.com/docs/manual/tutorial/configure-audit-filters/ - metadata: - verified: true - tags: mongodb,audit,ssh,auth,hardening - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const MongoConfig = c.Run(Code) - MongoConfig - let result = ""; - if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("#auditLog:")) { - result += "MongoDB Audit Log Disabled"; - } else { - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - Code: cat {{path}} - - payloads: - path: - - /etc/mongod.conf - - /usr/local/etc/mongod.conf - - /opt/homebrew/etc/mongod.conf - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a0047304502200c409317ef4f20bd0f95e4f918e9418223c4243124462484ad14db605fda9a7b022100889f260f7597bb9e2f97f1eca0952a7cdc12e7c8b358e13fbc487eb8126bce86:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/mongodb/mongodb-auth-disabled.yaml b/javascript/audit/mongodb/mongodb-auth-disabled.yaml deleted file mode 100644 index 15400866db3..00000000000 --- a/javascript/audit/mongodb/mongodb-auth-disabled.yaml +++ /dev/null @@ -1,55 +0,0 @@ -id: mongodb-auth-disabled - -info: - name: MongoDB Authentication Disabled - author: pussycat0x - severity: high - description: | - Detects if MongoDB authentication is disabled or missing in mongod.conf. - If 'authorization: enabled' is missing under 'security:', authentication is not enforced. - reference: - - https://wiki.devsecopsguides.com/docs/checklists/mongodb/ - metadata: - verified: true - tags: mongodb,audit,ssh,auth,hardening - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const MongoConfig = c.Run(Code) - MongoConfig - let result = ""; - if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("#security") && !MongoConfig.includes("authorization: enabled")) { - result += "MongoDB Auth Disabled"; - } else { - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - Code: cat {{path}} - - payloads: - path: - - /etc/mongod.conf - - /usr/local/etc/mongod.conf - - /opt/homebrew/etc/mongod.conf - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a004730450221008185a9e90eb7e1e9bbd42dfef4078aced5cf8967e0312817328688982f9ff527022051079da7a4bc86a726de720394ee9c99a717b3f3f4efb9bd654832217b5a963e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/mongodb/mongodb-http-interface-enabled.yaml b/javascript/audit/mongodb/mongodb-http-interface-enabled.yaml deleted file mode 100644 index bcb5c24b580..00000000000 --- a/javascript/audit/mongodb/mongodb-http-interface-enabled.yaml +++ /dev/null @@ -1,57 +0,0 @@ -id: mongodb-http-interface-enabled - -info: - name: MongoDB HTTP Interface Enabled - author: pussycat0x - severity: high - description: | - Checks if the MongoDB HTTP interface is enabled in /etc/mongod.conf. - remediation: | - Set 'http.enabled: false' in /etc/mongod.conf and restart MongoDB. - reference: - - https://wiki.devsecopsguides.com/docs/checklists/mongodb/ - - https://www.mongodb.com/docs/manual/reference/configuration-options/ - metadata: - verified: true - tags: mongodb,config,file,audit,ssh,auth,hardening - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const MongoConfig = c.Run(Code) - MongoConfig - let result = ""; - if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("http:") && MongoConfig.includes("enabled: true")) { - result += "MongoDB HTTP Interface Enabled"; - } else { - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - Code: cat {{path}} - - payloads: - path: - - /etc/mongod.conf - - /usr/local/etc/mongod.conf - - /opt/homebrew/etc/mongod.conf - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 490a00463044022051a6ac33d0867419d947cad61ed77488f483d432d77ba1de1c3d09e9ca39f789022014ac665ebd72c97eb7cbd0bbe190c744a7b170400a7233eea52999ecdd69041e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/mongodb/mongodb-ssl-disabled.yaml b/javascript/audit/mongodb/mongodb-ssl-disabled.yaml deleted file mode 100644 index 339af49b8e1..00000000000 --- a/javascript/audit/mongodb/mongodb-ssl-disabled.yaml +++ /dev/null @@ -1,57 +0,0 @@ -id: mongodb-ssl-disabled - -info: - name: MongoDB SSL Disabled - author: pussycat0x - severity: high - description: | - Ensures MongoDB uses SSL/TLS for secure connections. - remediation: | - Set 'net.ssl.mode: requireSSL' and define 'PEMKeyFile' in /etc/mongod.conf. - reference: - - https://wiki.devsecopsguides.com/docs/checklists/mongodb/ - - https://www.mongodb.com/docs/manual/tutorial/configure-ssl/ - metadata: - verified: true - tags: mongodb,audit,ssh,auth,hardening - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const MongoConfig = c.Run(Code) - MongoConfig - let result = ""; - if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("ssl:") && MongoConfig.includes("mode: requireSSL") && !MongoConfig.includes("mode: disabled")) { - result += "MongoDB SSL Disabled"; - } else { - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - Code: cat {{path}} - - payloads: - path: - - /etc/mongod.conf - - /usr/local/etc/mongod.conf - - /opt/homebrew/etc/mongod.conf - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100a47fb4ff86a5acf7ce8b0f01af5020f925744777251546997505455db8959990022025cd23417b236086b244801f5841660a86b845ca0a6f390bf27ab7332b4ec946:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml deleted file mode 100644 index de817116d5c..00000000000 --- a/javascript/audit/mysql/mysql-load-file.yaml +++ /dev/null @@ -1,61 +0,0 @@ -id: mysql-load-file -info: - name: MySQL LOAD_FILE - Enable - author: pussycat0x - severity: high - description: | - The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities. - reference: - - https://nmap.org/nsedoc/scripts/mysql-databases.html - metadata: - verified: true - max-request: 16 - shodan-query: "port:3306" - tags: js,mysql,network,audit - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - let m = require('nuclei/mysql'); - let c = m.MySQLClient(); - let response = c.ExecuteQuery(Host,Port,User,Pass,Query); - Export(response); - - args: - Host: "{{Host}}" - Port: "3306" - Query: SELECT LOAD_FILE('/etc/passwd') - User: "{{usernames}}" - Pass: "{{passwords}}" - - payloads: - usernames: - - root - - admin - - mysql - - test - passwords: - - root - - admin - - mysql - - test - attack: clusterbomb - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - success == true - - - type: word - words: - - "root:x:" - - extractors: - - type: json - part: response - json: - - .Rows[] -# digest: 4a0a004730450221009ad416364c3679ae98d7f27001407c284157e5ee85cfcea19ed1d53e4119128d02205a3741b7625ca7a9c74d10f76c99007e382188b80f5d6c7cadcf28d583b727e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/change-default-port.yaml b/javascript/audit/ssh/change-default-port.yaml deleted file mode 100644 index d66404cbf40..00000000000 --- a/javascript/audit/ssh/change-default-port.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: change-default-port - -info: - name: Change SSH Default Port - author: pussycat0x - severity: info - description: | - Reduces Automated Attacks: Changing the default port can help avoid most automated attacks that target port 22. - remediation: | - Set Port 2222 in /etc/ssh/sshd_config to change the default SSH port and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://gcore.com/learning/how-to-change-ssh-port/ - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('#Port 22') && !sshConfig.includes('Port ')) { - result += "Default SSH Port Detected; "; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100b8bb63087a69512d1c645d43a523120deacae3ae090c2bf1980a4fc7b582affb0220784836e7371a3dcab75a9b1998013603031386aa936a345b42a3581a8e336e9d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/disable-empty-password.yaml b/javascript/audit/ssh/disable-empty-password.yaml deleted file mode 100644 index 1c5e45f2ce5..00000000000 --- a/javascript/audit/ssh/disable-empty-password.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: disable-empty-password - -info: - name: Disable SSH Empty Password - author: pussycat0x - severity: high - description: | - Allowing empty passwords in SSH poses a severe security risk, enabling unauthorized access, brute-force attacks, and potential system compromise. It should always be disabled to prevent unauthorized logins. - remediation: | - Set PermitEmptyPasswords no in /etc/ssh/sshd_config to disable empty password logins and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-sshd-disable-empty-passwords/ - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('PermitEmptyPasswords yes')) { - result += "Disable SSH Empty Password Access"; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4b0a0048304602210090f1b075340725c5e0a63dc65dabe176c1185bccf08e593976fd35572de9100802210093ed51e2c2f2b957243fb609c5c987ec849446151f7e846ca72cb7b91a89a01f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/disable-root-login.yaml b/javascript/audit/ssh/disable-root-login.yaml deleted file mode 100644 index 61e7fdc4ceb..00000000000 --- a/javascript/audit/ssh/disable-root-login.yaml +++ /dev/null @@ -1,50 +0,0 @@ -id: disable-root-login - -info: - name: Disable SSH Root Login - author: pussycat0x - severity: high - description: | - Disabling direct root login can help prevent unauthorized users from gaining full control over your system. - remediation: | - Set PermitRootLogin no in /etc/ssh/sshd_config to disable root login and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/ - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('PermitRootLogin yes')) { - result += "Disable SSH Root Login; "; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100aa61482bf6e32c32117c1183f432c3d4b7df59f098114ccc7569ff25f568e42502206f613044bce918573618fd6ace79bf634f30823e8d9e6e959d3e2199e15e53cb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/disable-ssh-forwarding.yaml b/javascript/audit/ssh/disable-ssh-forwarding.yaml deleted file mode 100644 index 76eaed0967e..00000000000 --- a/javascript/audit/ssh/disable-ssh-forwarding.yaml +++ /dev/null @@ -1,50 +0,0 @@ -id: disable-ssh-forwarding - -info: - name: Disable SSH Forwarding - author: pussycat0x - severity: unknown - description: | - SSH forwarding can enhance security by encrypting traffic (X11, agent, or port forwarding), but it also poses risks if misused. Attackers with access to a compromised system can pivot to other machines, potentially escalating privileges or stealing credentials. - remediation: | - Set X11Forwarding no and AllowTcpForwarding no in /etc/ssh/sshd_config to disable SSH forwarding and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port) - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('AllowTcpForwarding yes') && !sshConfig.includes('#AllowTcpForwarding yes') || sshConfig.includes('X11Forwarding yes')) { - result += "Disable SSH Forwarding;"; - } - else { - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100dc6908d6ef4bdff577247d002afeba2f2a2f0f4c6e8363603e4c60c46e452926022017929a72f04ee161a3700626a49ae427a6cdaaf14383292d3dd6c972d7dcb70f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/disable-ssh-protocol-1.yaml b/javascript/audit/ssh/disable-ssh-protocol-1.yaml deleted file mode 100644 index 611afe0a5a1..00000000000 --- a/javascript/audit/ssh/disable-ssh-protocol-1.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: disable-ssh-protocol-1 - -info: - name: Disable SSH Protocol 1 - author: pussycat0x - severity: low - description: | - Using SSH Protocol 1 is insecure as it lacks strong encryption and integrity checks, making it vulnerable to man-in-the-middle attacks, session hijacking, and other exploits. It is recommended to use SSH Protocol 2 for enhanced security. - remediation: | - Set Protocol 2 in /etc/ssh/sshd_config to disable SSH Protocol 1 and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://www.ktchost.com/blog/enable-ssh-protocol-2/ - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port) - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (!sshConfig.includes('Protocol 2')) { - result += "Disable SSH Protocol 1; "; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4b0a00483046022100a88133d800dc6c1178ceaa1411b527702f8644de63f384b2bca2d54a77e8d31b022100a136ac30c206fda2df328c01216b03ed6a37abec49b0a25a8f0c9faa457e2850:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/enable-ssh-privilege-separation.yaml b/javascript/audit/ssh/enable-ssh-privilege-separation.yaml deleted file mode 100644 index 7f41d11411f..00000000000 --- a/javascript/audit/ssh/enable-ssh-privilege-separation.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: enable-ssh-privilege-separation - -info: - name: Enable Privilege Separation in SSH - author: pussycat0x - severity: unknown - description: | - Privilege separation in SSH enhances security by running the SSH daemon with minimal privileges, reducing the risk of privilege escalation. It limits the impact of vulnerabilities, preventing full system compromise if SSH is exploited. - remediation: | - Set UsePrivilegeSeparation yes in /etc/ssh/sshd_config to enhance security and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-258010 - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (!sshConfig.includes('UsePrivilegeSeparation yes')) { - result += "Enable Privilege Separation in SSH"; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100f47ff8b921616e92693abe8151aa3b00f4744344aa3358e2badf6fd6c8944c170220065572cb418354904aa61203a171bda7123166b149077937d24c312078b196e5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/hide-last-login-information.yaml b/javascript/audit/ssh/hide-last-login-information.yaml deleted file mode 100644 index fd39b47d8ed..00000000000 --- a/javascript/audit/ssh/hide-last-login-information.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: hide-last-login-information - -info: - name: Hide SSH Last Login Information - author: pussycat0x - severity: unknown - description: | - SSH last login information helps detect unauthorized access but may expose user activity details to attackers. - remediation: | - Set PrintLastLog no in /etc/ssh/sshd_config to disable last login information and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441 - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (!sshConfig.includes('PrintLastLog no')) { - result += "Hide SSH Last Login Information; "; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100a6a2316223724c672bd024f69d4dfbc7f32d17a399b2ecd148a10adee5eef0a702203c89eb525cbe0706d5e66ce0b199781d4774427b4dececea02ca9b6abefc15b4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/idle-timeout-interval.yaml b/javascript/audit/ssh/idle-timeout-interval.yaml deleted file mode 100644 index f9e32c4b5b3..00000000000 --- a/javascript/audit/ssh/idle-timeout-interval.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: idle-timeout-interval - -info: - name: Set SSH Idle Timeout Interval - author: pussycat0x - severity: low - description: | - Missing an SSH idle timeout interval can lead to security risks by allowing unattended sessions to remain open, increasing the chance of unauthorized access or session hijacking. - remediation: | - Set ClientAliveInterval 300 and ClientAliveCountMax 0 in /etc/ssh/sshd_config to enforce an idle timeout and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://support.forcepoint.com/s/article/000015900 - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('#ClientAliveInterval') && sshConfig.includes('#ClientAliveCountMax') && !sshConfig.includes('ClientAliveInterval ') && !sshConfig.includes('ClientAliveCountMax ')){ - result += "Set SSH Idle Timeout Interval"; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a00473045022100bf9a2fe48184cc61b2acaa709af5dd53f1ad7266dd4f8114200692210f6efd2202207f3942d6d0ff7ab6a301ce5e0c1fa29ccd14bf3425adcb54cf7b80def71b5d1b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/limit-ssh-group.yaml b/javascript/audit/ssh/limit-ssh-group.yaml deleted file mode 100644 index c989f7c22b2..00000000000 --- a/javascript/audit/ssh/limit-ssh-group.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: limit-ssh-group - -info: - name: Limit SSH Users Group Access - author: pussycat0x - severity: unknown - description: | - Limiting SSH user group access enhances security by restricting login permissions to authorized groups, reducing the attack surface and preventing unauthorized access. - remediation: | - Ensure only necessary users are listed in AllowUsers within /etc/ssh/sshd_config, then restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://cloud.ibm.com/docs/ssh-keys?topic=ssh-keys-granting-ssh-access-to-a-user - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (!sshConfig.includes('AllowGroups')){ - result += "Limit SSH Users Group Access; "; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 490a0046304402200f92b3878984629518e1273af1410e7c952b53692df85e4e4fbecbe535b18043022062c92bfc1503feff994ca2314293fc1c6457ef6c605d384c96dd56ac0860f149:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/limit-ssh-users-access.yaml b/javascript/audit/ssh/limit-ssh-users-access.yaml deleted file mode 100644 index ca5b70006f3..00000000000 --- a/javascript/audit/ssh/limit-ssh-users-access.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: limit-ssh-users-access - -info: - name: Limit SSH Users Access - author: pussycat0x - severity: unknown - description: | - Restricting SSH user access improves security by allowing only authorized users to connect, reducing the risk of unauthorized logins and potential attacks. - remediation: | - Restrict SSH access by configuring AllowUsers or AllowGroups in /etc/ssh/sshd_config and restart the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://cloud.ibm.com/docs/ssh-keys?topic=ssh-keys-granting-ssh-access-to-a-user - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (!sshConfig.includes('AllowUsers')){ - result += "Limit SSH Users Access; "; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4b0a00483046022100e5ca1199361b834994bf2db56bfe92380bef7598ae6ef39791c04bf96be2f199022100a5c92bcfd2ffef3d361341ec13958ae565ee54727b0e0cec624b66c33e5a7ac7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/ssh-key-auth-disabled.yaml b/javascript/audit/ssh/ssh-key-auth-disabled.yaml deleted file mode 100644 index 6e16b028a16..00000000000 --- a/javascript/audit/ssh/ssh-key-auth-disabled.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: ssh-key-auth-disabled - -info: - name: SSH Key-Based Authentication - Disabled - author: pussycat0x - severity: low - description: | - SSH key-based authentication is disabled, allowing password-based logins, which increases the risk of brute-force attacks and unauthorized access. - remediation: | - Enable SSH key-based authentication by adding the public key to ~/.ssh/authorized_keys and disabling password authentication in /etc/ssh/sshd_config (PasswordAuthentication no). - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('#PasswordAuthentication yes') && !sshConfig.includes('PasswordAuthentication yes')){ - result += "SSH Key-Based Authentication Disabled"; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4b0a00483046022100e74a6f1240b37c11e994a870993eda924e977fde4ca97ad003f6350c14e4eefe022100d2ccd197706d61fcf871d63bccc809641c470f082b10c3f75dd3e6ee9cd3fd93:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/ssh/ssh-unrestricted-nonwhitelist.yaml b/javascript/audit/ssh/ssh-unrestricted-nonwhitelist.yaml deleted file mode 100644 index 4862b37843d..00000000000 --- a/javascript/audit/ssh/ssh-unrestricted-nonwhitelist.yaml +++ /dev/null @@ -1,51 +0,0 @@ -id: ssh-unrestricted-nonwhitelist - -info: - name: Unrestricted SSH Access from Non-Whitelisted IPs - author: pussycat0x - severity: unknown - description: | - SSH access is not restricted to specific IP addresses, allowing connections from any source. This increases the risk of unauthorized access and brute-force attacks. - remediation: | - Restrict SSH to specific IPs in /etc/ssh/sshd_config by setting ListenAddress and restarting the SSH service. - reference: - - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f - - https://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html - metadata: - verified: true - tags: audit,config,ssh,auth - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const sshConfig = c.Run('cat /etc/ssh/sshd_config') - sshConfig - let result = ""; - if (sshConfig.includes('#ListenAddress') && !sshConfig.includes('ListenAddress ')){ - result += "SSH access restriction not enforced"; - } - else{ - exit(); - } - result - - args: - Host: "{{Host}}" - Port: "22" - User: "{{usernames}}" - Pass: "{{passwords}}" - - matchers: - - type: dsl - dsl: - - "success == true" - - extractors: - - type: dsl - dsl: - - response -# digest: 4b0a00483046022100e083bd557c319077edc862d63ff616e5f3b16c97993aa815fc99275c3d0b8681022100b655fa349c18a03be6a56866c42c56cdc6829c22ebf02f09b2d625e2b7119452:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/javascript/audit/webserver/apache/disable-directory-listing.yaml b/javascript/audit/webserver/apache/disable-directory-listing.yaml deleted file mode 100644 index 5ec58f0711a..00000000000 --- a/javascript/audit/webserver/apache/disable-directory-listing.yaml +++ /dev/null @@ -1,59 +0,0 @@ -id: disable-directory-listing - -info: - name: Disable Directory Listing in Apache2 - author: pussycat0x - severity: medium - description: | - Directory listing should be disabled to prevent unauthorized users from browsing server directories. - remediation: | - Add 'Options -Indexes' in the Apache configuration file or .htaccess file. - reference: - - https://wiki.devsecopsguides.com/docs/checklists/apache/ - - https://httpd.apache.org/docs/2.4/mod/core.html#options - metadata: - verified: true - tags: audit,config,auth,apache,hardening - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - var m = require("nuclei/ssh"); - var c = m.SSHClient(); - c.Connect(Host,Port,User,Pass); - const ApacheConfig = c.Run(Code) - ApacheConfig - let result = ""; - const regex = /\bOptions\s+Indexes\b(?!\s+FollowSymLinks)/; - if (ApacheConfig.includes("